Apple in China: who holds the keys? (cryptographyengineering.com)
215 points by auslander on Feb 23, 2018 | 119 comments

> Where Apple provides overwhelming detail about their best security systems (file encryption, iOS, iMessage), they provide distressingly little technical detail about the weaker links like iCloud encryption.

Sounds like the author missed Apple's BlackHat 2016 talk. It goes into lots of technical detail on Cloud Key Vault.[1] Well worth watching -- and a very cool implementation of a secure backup system designed for "adversarial clouds".

It's pretty cool how it retains end-to-end encryption of your keychain while also backing it up to untrusted clouds. Basically it employs Hardware Security Modules that limit recovery attempts to 10 tries before destroying the data, thus protecting against backend brute forcing and allowing you to use your relatively weak device passcode to encrypt the backup. And here's the kicker -- they put the HSM firmware signing keys in a blender so even an adversarial government can't force them to modify them.

Update: I guess he did watch the video (he previously wrote a whole post on it). So I'm not sure what he thinks is missing, or maybe I misunderstood and he's only complaining about non-keychain data encryption.

[1] https://www.youtube.com/watch?v=BLGFriOKz6U&feature=youtu.be...
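A toy model of the escrow design that comment describes, added here as an illustration and not Apple's code: the device encrypts its backup under a fresh random key and escrows only that key with a vault that releases it on a correct passcode and destroys the record after ten failures. The class and function names, the PBKDF2 parameters and the toy stream cipher are assumptions; the real system's record format and ciphers are not on the page.

```python
"""Passcode-protected key escrow with a hard retry limit (constructed example)."""
import hashlib
import hmac
import os
import secrets

MAX_ATTEMPTS = 10          # the "10 tries" limit mentioned in the talk
PBKDF2_ROUNDS = 100_000    # assumed value; the real parameters are not on the page


class EscrowVault:
    """Stands in for the HSM cluster: records live only inside this object.

    Nothing is ever exported, so the passcode cannot be brute-forced offline
    against a copied record; every guess has to go through recover(), which
    enforces the attempt counter and wipes the record when it is exhausted.
    """

    def __init__(self):
        self._records = {}

    def escrow(self, record_id, passcode, escrowed_key):
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ROUNDS)
        self._records[record_id] = {
            "salt": salt, "verifier": verifier, "key": escrowed_key, "failures": 0,
        }

    def recover(self, record_id, passcode):
        rec = self._records.get(record_id)
        if rec is None:
            return None  # never escrowed, or already destroyed
        candidate = hashlib.pbkdf2_hmac("sha256", passcode.encode(), rec["salt"], PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, rec["verifier"]):
            rec["failures"] = 0
            return rec["key"]
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            del self._records[record_id]  # destroy the escrowed key for good
        return None

    def has_record(self, record_id):
        return record_id in self._records


def _keystream_xor(key, nonce, data):
    # Toy unauthenticated stream cipher standing in for a real AEAD.
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def backup_keychain(vault, record_id, passcode, keychain_plaintext):
    """Device side: encrypt under a random 256-bit key, escrow only the key.

    The returned blob can sit on untrusted cloud storage: without the key
    held by the vault it is as opaque as any random-key ciphertext.
    """
    key = secrets.token_bytes(32)
    nonce = os.urandom(16)
    vault.escrow(record_id, passcode, key)
    return nonce + _keystream_xor(key, nonce, keychain_plaintext)


def restore_keychain(vault, record_id, passcode, blob):
    """Recovery: prove the passcode to the vault, then decrypt the blob."""
    key = vault.recover(record_id, passcode)
    if key is None:
        return None
    nonce, ciphertext = blob[:16], blob[16:]
    return _keystream_xor(key, nonce, ciphertext)


def guess_pins_online(vault, record_id, digits=4):
    """Shows why the limit matters: sequential online guessing stops when
    the vault wipes the record. Returns (recovered_key_or_None, guesses_made)."""
    for guess in range(10 ** digits):
        if not vault.has_record(record_id):
            return None, guess
        key = vault.recover(record_id, f"{guess:0{digits}d}")
        if key is not None:
            return key, guess + 1
    return None, 10 ** digits


if __name__ == "__main__":
    vault = EscrowVault()
    blob = backup_keychain(vault, "device-A", "4821", b"wifi=hunter2")
    print(restore_keychain(vault, "device-A", "4821", blob))   # b'wifi=hunter2'
    print(guess_pins_online(vault, "device-A"))                # (None, 10)
    print(vault.has_record("device-A"))                        # False
```

The limit only buys security against online guessing; a passcode that falls within the first ten guesses (for example "0003") is still recovered, which is why the passcode's unpredictability, not its length, is what the design leans on.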

I think the author is looking for written documentation and reference material, not a presentation that may be outdated and not apply to this situation. I concur with the author, this should be available in clear unambiguous docs. Instead, many are unfortunately forced to point to old videos and depositions as reference material.

August 2016 is not that old, it clearly applies to this situation (“adversarial clouds”), and also the salient points are documented in the iOS security white paper which is updated annually: https://www.apple.com/business/docs/iOS_Security_Guide.pdf

And why should we assume that every cloud is the same? The China cloud might be different in tiny but important ways.

Or all the clouds might have 'evolved' a few minutes ago to comport with some new Apple policy. This is all about trusting a corporation. I still prefer to handle my own encryption, keeping my keys how and where I like.

Nobody is assuming that. The whole point is it can store secrets on adversarial clouds. The key stays with the client.

The author, in fact, has specifically written an article on the talk you mention: https://blog.cryptographyengineering.com/2016/08/13/is-apple....

Matthew Green is a capable cryptographer who engages with the wider security community and practical encryption a lot (e.g. https://blog.cryptographyengineering.com/2016/03/21/attack-o...). If you're interested in this kind of thing, I'd recommend following him more closely (e.g. on Twitter).

Apple still could release a software update that would update the HSM firmware to remove the limit of ten tries before the keys are lost.

Mentioned here: https://9to5mac.com/2016/02/25/apple-working-on-stronger-icl...

You're confusing the behavior of the device with the behavior of the HSM modules used for iCloud storage.

eridius is right. Apple cannot update the firmware of the backend HSM clusters without data loss. (If you believe what they say.) They literally throw the signing keys into a blender. The article refers to device firmware not the iCloud backend.

Yeah, I got confused by HSM and Secure Enclave. I still think it is crackable given it is all secured by a user’s pin which can be verified on device by software Apple controls.

Of course Apple controls the software. Apple or any manufacturer could push an update overnight that disables all encryption and transmits your data to Donald Trump or whoever they want the next time you enter your passcode. There’s exactly zero “security researcher insight” in observing that.

The question is, if you trust that iOS and iCloud work the way Apple says they do (under oath), how vulnerable are they to an adversarial cloud. They have designed a system to keep your keychain safe under these conditions.

Agree they aren’t vulnerable to a rogue cloud for keychain data.

The attack is that you force Apple to update the OS for a person’s device w/ evil firmware. Then you crack the device by guessing the pin in a brute force manner. Then you unlock the data from the HSM with that guessed pin.

The conversation is about recovery of data stored off-device e.g.: on Apple's servers. There wasn't a discussion about recovery of information when the physical device is present.

HSM is a term used exclusively for server hardware, I believe. I know Apple devices (and some Android) use secure enclaves, but I don't believe they are referred to as "HSM"s.

I know. I conflated HSM and Secure Enclave incorrectly.

I agree Apple does well in the security arena, but they should do more to prevent software updates without erasing the device if the security key is not available.

Also, the article stated this: “In short: Apple has designed a key vault that even they can’t be forced to open. Only customers can get their own keys.”

That was the part I was arguing with. Apple can get the keys if they were compelled to.

But they can't be compelled to.

If Apple has access to the data, the government can compel them to turn it over. The whole point of this setup is that Apple doesn't have access to the data, because they can't get the keys, and they can't reconfigure the HSM to give it to them.

Now yes, they could in theory change iOS and push out an update to everyone that breaks the security model. But the government¹ can't compel them to do that. The government cannot compel them to materially change their product and break one of the major advertised features of the device.

¹I'm assuming US government here. The rules would be different in China, but I guess China knows that even they can't compel Apple to break the security model of the device in this way, Apple would rather leave China than do it.

This is covered in the blog post:

>With one major exception — iCloud Keychain, which I’ll discuss below — iCloud fails the mud puddle test. That’s because most Apple files are not end-to-end encrypted.

The blog post is saying that iCloud backups are not protect from Apple, except keychain backups. So your files, messages, etc are not protected from Apple. And the video you posted seems to only be about keychain backups.

Quick question: if a user is under camera based surveillance and they type in their PIN, does that allow someone holding their data to decrypt it?

Because apparently China is putting cameras everywhere, and it stands to reason they could have a module that monitors for PIN entry and records it. Even at my workplace in the US I try to avoid entering my PIN near security cameras.

The answer to this used to be no, but iOS 11 made a number of changes that I don't fully understand yet; I think the answer is still no unless you have the device then you may be able to get an iCloud reset token.. but don't take my word for it. (at that point they already have your device though eh?)

As a side note I think people vastly underestimate how easy it is to capture you typing your password on a phone screen.. especially when you put it in the context of complaining about minor security implications of TouchID or FaceID. I would suggest it's typically much easier to watch you typing a password than to clone your TouchID .

In the US, though, TouchID and FaceID are liabilities because the police can compel you to provide your fingerprint and face.

There are some protections against exactly this.

If it's been more than 48hrs since you last unlocked the phone or you turned off the phone, it will require your password again.

You can also discreetly disable Face ID by holding down power and a volume button.

I am curious if Android has the ability to quickly disable fingerprint unlock if you are in an adversarial situation, so it only asks for the passcode.

If you reboot the phone then it’ll only accept the PIN to unlock, at least on newer versions.

Or just use the wrong finger a couple of times.

Snowden hides under towel to type passwords :)) https://youtu.be/4EgTXEn15ls?t=37m31s

I could not help but notice the dissonance between Laura Poitras arriving at 'Newark Liberty International Airport' and how she was treated there. For small values of Liberty I guess.

It's simply harassment, the kind that I would have expected in former Eastern Germany, Poland, Russia or any other state like that.

Furthermore, clicking the above link actually displays a message saying the video is not available for viewing in the US...

That's odd, it works for me.

Sorry. I edited to add that it's based on country - information control (and its associated ambiguity) being another quality of totalitarianism.

It clearly says it's blocked by the Weinstein Company, who owns the US rights.

There's always a justification.

Does a towel stop the wifi-based attacks?

According to this (1), since the iOS 11 update the PIN code is now a single point of failure: if you know the PIN and have access to the device (or probably to an Apple-made data dump on Chinese servers) you can have everything.

(1) https://blog.elcomsoft.com/2017/11/ios-11-horror-story-the-r...

Was curious about this as well. It would be a huge oversight if the encrypted blobs could be decrypted with a 4 - 6 digit pin. Couldn’t it be brute forced?

My amateur understanding is the pin unlocks a hardware “safe” on the device which contains the actual decryption key, requiring physical access to the device even if the pin was caught on security cam.

Y in X: who holds the keys? The alphabet agencies in X.

Where Y is any corporation, and X any nation. At this point, I believe any assumption otherwise is naive.

What I want to know is if I send an iMessage to someone who is, unbeknownst to me, living in or visiting China, does that mean my private information is now going to be shared with the Chinese government without my knowledge?

I get that we have “no” or very little privacy now. But I’m wondering if Apple is making it clear to users in the US that their private messages may be siphoned off and exploited by governments of countries they have never been to.

Well, which is it? Do you want to know the answer to your question, or do you already have the answer as suggested by your claim?

Well there's a contradiction. On the one hand, if I send a message to China (including unknowingly) it sounds like it would end up as part of a conversation stored on servers in China. On the other hand, Apple has a reputation as a company that cares about and protects user privacy. There's a contradiction, is all I know.

Top of article: > Beginning on February 28th, all users who have specified China as their country/region will have their iCloud data transferred to the GCBD cloud services operator in Guizhou, China. So living, most likely yes. Visiting then presumably no. But who really knows?

I'm not wondering about those people, though. I'm wondering about the people who correspond with them.

So if China demands the key, Apple will pull out of China? https://www.cnbc.com/2017/11/02/apple-china-revenue-up.html ~$10 Billion last quarter of 2017

Apple's statements to the press about this have repeatedly said [1]:

>Apple has strong data privacy and security protections in place and no backdoors will be created into any of our systems.

iMessage is end-to-end encrypted and has never been blocked in China, while services like WhatsApp are [2]. During the FBI brouhaha, the national security establishment water holders started writing op-eds on blogs like Lawfare suggesting that Apple was being hypocritical in opposing the FBI, alleging that they had already given the jewels away to China [3]. The DoJ basically parroted this in their filings to the court, accusing Apple of this outright (whether or not the op-eds were co-ordinated with the DoJ is unclear). Fortunately, this led to Apple responding to these accusations in their own filings to the court [4], including this declaration from Craig Federighi under threat of perjury [5]:

>5. Apple uses the same security protocols everywhere in the world.

>6. Apple has never made user data, whether stored on the iPhone or in iCloud, more technologically accessible to any country's government. We believe any such access is too dangerous to allow. Apple has also not provided any government with its proprietary iOS source code. While governmental agencies in various countries, including the United States, perform regulatory reviews of new iPhone releases, all that Apple provides in those circumstances is an unmodified iPhone device.

>7. It is my understanding that Apple has never worked with any government agency from any country to create a "backdoor" in any of our products and services.

>I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct.

Assuming Craig Federighi didn't perjure himself, why has China seemingly made an exception for Apple when it comes to iMessage (or iOS or iCloud)? The answer is that Apple is the only tech company that actually has leverage with the CPC in (indirectly) employing millions of workers in China. People have criticized Apple for taking down the NYT's app or VPN apps in the App Store in China and for not resisting it, but Apple is rightly picking their battles to protect the crown jewels.

[1] https://9to5mac.com/2018/01/10/apple-will-begin-storing-chin...

[2] https://www.nytimes.com/2017/09/25/business/china-whatsapp-b...

[3] https://www.lawfareblog.com/deposing-tim-cook

[4] https://assets.documentcloud.org/documents/2762131/C-D-Cal-1...

[5] https://www.documentcloud.org/documents/2762118-Federighi-De...

> Assuming Craig Federighi didn't perjure himself, why has China seemingly made an exception for Apple when it comes to iMessage (or iOS or iCloud)? The answer is that Apple is the only tech company that actually has leverage with the CPC in (indirectly) employing millions of workers in China.

Eh, there’s a simpler explanation: basically nobody uses iMessage in China.

Employing people in China is only leverage if they can readily move production elsewhere (nope, not at that scale).

Not that it counts for nothing, but the real issue here is that iMessage is just a non-issue for China.

But what happens if people start using it? It is like WhatsApp: it was allowed to be used as long as it didn't reach a critical mass.

So in some way Apple is praying iMessage does not succeed in China.

I am glad the current privacy issues are not yet a problem in China. But someday Apple will have to deal with it, and unlike the US, where there is a system of law to protect companies and citizens, there isn't one in China. (At least not by the normal Western understanding of "law".)

It all depends on China's real motivation:

- Publicly they state that servers need to be in China because they don’t want to hand Chinese citizens' data to a foreign country. This is in no way incompatible with iMessage.

- Privately, people suspect that China wants to increase mass surveillance to a point even worse than what the USA was already doing with PRISM. If this is true, then yes, iMessage is incompatible in the long run.

That is a very good question. I doubt they are praying for failure though.

> It is my understanding that Apple has never worked with any government agency from any country...

Not exactly inspiring.

Here's something more unequivocal from Apple's main response [1].

>Finally, the government attempts to disclaim the obvious international implications of its demand, asserting that any pressure to hand over the same software to foreign agents “flows from [Apple’s] decision to do business in foreign countries . . . .” Opp. 26. Contrary to the government’s misleading statistics (Opp. 26), which had to do with lawful process and did not compel the creation of software that undermines the security of its users, Apple has never built a back door of any kind into iOS, or otherwise made data stored on the iPhone or in iCloud more technically accessible to any country’s government. See Dkt. 16-28 [Apple Inc., Privacy, Gov’t Info. Requests]; Federighi Decl. ¶¶ 6–7. The government is wrong in asserting that Apple made “special accommodations” for China (Opp. 26), as Apple uses the same security protocols everywhere in the world and follows the same standards for responding to law enforcement requests. See Federighi Decl. ¶ 5.

[1] https://assets.documentcloud.org/documents/2762131/C-D-Cal-1...

The rest of the quote is "...to create a "backdoor" in any of our products and services."

Which you won't be able to easily find evidence for, even if they did do it.

I don't think a doc about how they operated two years ago is still applicable is it? Especially since this is a recent "decision" by Apple. The article put it best:

> they should say explicitly and unambiguously what they’ve done

Why would they choose to be guarded and opaque? I think the silence speaks volumes...otherwise, I can't understand why it's pervasive. Can't they just be clear and transparent and answer the question we all have here and move on?

Their press statements about this "recent decision" have always reiterated that there are no backdoors.

>Why would they choose to be guarded and opaque?

I mean isn't the answer to this obvious? Sure, Apple could come out and spell this out for everyone, but this is extremely political and Apple is not going to be better served by loudly touting how they are in a privileged position relative to others because they have their own cards to play with the CPC.

"No backdoors" has nothing to do with whether the Chinese Government owns and/or uses the front door.

> I mean isn't the answer to this obvious?

I thought it was obvious... because they know we won't like the answer. But it seems none of us know. It is really easy, regardless of political harm, to issue statements about data privacy for one country. Not so much for another... making other public statements about citizen data privacy more hollow if they only make them when they think they can. It's a clear case of principles vs money to me.

Apple can break end-to-end encryption if it wants to by introducing another device they control as a recipient for iMessage messages.

True! But this also would be detectable by security researchers monitoring the output of devices. Just comparing bandwidth usage would reveal if there is an extra recipient.

Not if you weren’t a security researcher though, assuming this was a targeted attack.

Look, if Apple is the adversary and willing to lie under oath then there’s not much anyone could do. They could sign and push crafted firmware to a target device, game over.

The question at hand is, if you trust that iMessage/iCloud works as documented, how does an adversarial third party cloud affect it. So far it looks like iMessage and keychain are still secure end to end encrypted. Apple never had the keys to those to begin with.

With iMessage they don’t need to push anything to the device.

I think Apple should provide a way to know who you are talking to has changed rather than saying, “trust us”, we won’t do anything bad.

Actually iOS does notify you when another device has joined your trust circle. So if you pay attention to that you’d know you’re being monitored. Suppressing that would need a crafted OS pushed to the device.

iMessage is very secure. The real question is what would China do if it takes off (no one uses it there).

If you are talking to person A and they get a new phone, how do you know that happened?

You don't, and it would arguably violate their privacy if you did. But they do.

What stops Apple telling your iMessage that person A got a new phone but not telling person A it is telling your iMessage that?

See earlier comment re: Apple as the adversary.

> The answer is that Apple is the only tech company that actually has leverage with the CPC in (indirectly) employing millions of workers in China.

You can assume that or you can assume that they need the access to the huge market which would be a much higher leverage for China over Apple.

Both are no more than thought experiments by people not actually having any insight.

>7. "It is my understanding that..."

I interpret that there is an implication in what is described in the article that, when you set the region on your Apple device, you get region-specific iCloud keys provisioned to it.

If that were the case, there is no reason why you couldn't provision to an HSM domain that hadn't had its keys shredded.

The implied architecture is there is a secure element on the phone with a unique key provisioned to it during manufacture - likely one that is derived from one of the HSM keys at Apple. However, since Apple cannot produce this individual device key themselves to do 3rd party device decryption, they must generate keys randomly in SE hardware on the device, using the user PIN as a derivation component - and somehow use SE firmware to set a fuse on the number of PIN tries. I don't know specifically how Apple does this, but the list of secure/viable approaches is short. (edit: unnecessary if they shred hsm keys.)

I don't doubt Apple's integrity on this, given the heat they have taken over it in the west. But an "adaptation" of their infrastructure to serve that regional market wouldn't surprise me either.

I'm skeptical of any scheme, and one that isn't presented in BAN logic tends to mean protocol designers have handwaved over where they are hiding things. Good examples of this notation are here: http://www.lsv.fr/Software/spore/table.html

If they have weakened the scheme, the technical ways Apple may have conceded to Chinese requirements, are all discoverable.

Breakable? I doubt that's viable given the security difference is an HSM with shredded keys vs. one where the keys still exist somewhere (probably in a duplicate HSM that operates the decryption service for Chinese govt). So still at least as good as any EMV payment system.

We can speculate about how this is implemented but reality is tech companies while ubiquitous, are not sovereign. Yet, anyway.

Maybe I'm off-base, but I feel like at this point the question of "who can see my data if it's stored in China?" is a bit silly. I--for one--will just always assume that any data stored in China might as well be public.

Well, not public, but eventually accessible by those holding the guns and running the prisons. Which is still not great.

I get into many discussions like this; not sure where you are from but educated Americans I talk to do not accept their data being read by anyone except the gov in cases of terrorism. That means, in practice, the gov can read your data. What is the difference in China? Do you want all data or no data or some data and how is some data defined exactly? If this is not black and white the definitions are going to be painful and biased and how to enforce proper use?

Many Americans (but probably not the majority) don’t accept that their data is going to be read in cases of terrorism. It’s why Apple refused to backdoor their phone for the government in a case of terrorism.

Narrow warrants granted by a separate branch of government in broad daylight are very different from this. And it’s why we need to fight to restore that norm in America. I don’t buy that terrorism is such an exceptional case that we ought to bend due process out of shape.

What little protection remains is a relic of the seventies. An interesting time in America. A time of strong resentment against the government after Vietnam and Nixon. There was a really powerful TRUE left wing in Washington that had power.

Of course, even back then they never extended FISA to non-US citizens. Nobody legislates the CIA.

People rag on Nixon --he's not a likeable guy, deservedly, but he also passed Title IX as well as the EPA. The true left were to some extent tools of the Soviet information warfare effort, which has now transformed into an alt-right effort. In both cases in an effort to destabilize (weaken) the US position --but people wanna believe.

> People rag on Nixon --he's not a likeable guy, deservedly, but he also passed title ix as well as the EPA

That's fair for EPA, but Title IX wasn't an Administration proposal or, IIRC, heavily lobbied for by the Administration. Nixon signed it, but it's not really accurate to credit him with passing it. It was proposed and pushed by liberal Democrats in both houses of Congress.

And people don't rag on Nixon for his legislative agenda, but for pervasive abuse of power, including law enforcement and national security resources, for partisan and personal political purposes.

> People rag on Nixon --he's not a likeable guy, deservedly, but he also passed title ix as well as the EPA.

It’s good to see this mentioned. I’m sometimes surprised by the good that Nixon did, despite my overall conclusion that he was unfit for office.

> The true left were to some extent tools of the soviet information warfare effort…

This deserves citation to back it up. Please provide links to credible sources.

You can follow down the rabbit hole here[1]. There is an anecdote of a Soviet spy working in post-war London. He frequented high society and people sometimes wondered what he did. On one occasion, someone muttered to him, something to the effect "what do you do, you never seem to be doing anything, are you a Soviet spy or something [laughter]" and he responds, "yes, of course I'm a Soviet spy" and people laughed it off [what a funny bloke]. Point is, this interaction shows a sort of acceptance that one in their own circles could be a spy; they could joke about it, not caring if it were really true.


Huh. My reading of the anecdote is they laugh it off because they consider it absurd (no real spy would tell us they were!), more than acceptance and uncaring. Could be your telling or my reading. Is there more to it, or perhaps how it was related, that leads you to your interpretation rather than mine? I'm not doubting it; it's just my read.

The true left in the US predated Lenin. And support for the final Russian Revolution among them was mixed. But yes, the Soviets did push their agendas via left wing and antiwar groups. However, some of those efforts, such as the Soviet-American Friendship Society, were in fact focused on peace.

Or you know, to anyone willing to pay $20 to a corrupt cop/employee on wechat? Feels pretty public to me.

Not public, just the government. And the Chinese government has better security than Equifax at least.

I doubt that.

Not quite apples to apples, but Equifax lost over 145 _million_ people's records. There are over 1.4 _billion_ Chinese. I'm not aware of the Chinese government losing its list of people...

I'm not aware that the Chinese Government is obligated to disclose breaches.

That's a good point; though I am now wondering if the Equifax breach got noticed before it was owned up to.

Going back to the higher point; I do wonder what the Chinese Government's track record on cyber security actually is, compared to what we more usually hear reported.

I don’t know if I would go public in China if I noticed a breach like that. I have never lived there, but I imagine the climate encourages a bit more discretion.

A major breach would probably surface on the dark web or other places

Not if it was done by an intelligence agency that intends to keep it secret.

From personal experience having lived and worked there for years, their password practices are pretty atrocious. Passwords like 123456 meant for one administrator but shared with the entire team, for example, seemed to raise no eyebrows whatsoever. Not to mention information security practices in general... things like using cracked and pirated copies of Windows and not staying up to date. However, this was a long time ago and things may have improved.

Apple would have us believe that they're the privacy company. They're doing a good job with that marketing message. But what's more secure? How do Google and Amazon compare? Do I have to run my own servers? Do I have to not run servers? Do I have to keep a hardened device on my person at all times? What about backups?

I think the core issue uniting all of these recent concerns about Apple and China (or any other country) is how critical structural incentives and capabilities are when it comes to individual freedom, privacy, and security, and in turn the fundamental danger of centralization. I've seen a lot of criticism towards companies for "folding" to oppressive regimes or orders, comparisons to people or organizations being party to atrocities in the past, etc., but I think those often miss the point. It is generally unreasonable to expect companies to directly oppose powerful governments. By design they are not in fact governments themselves, mostly for better (though maybe rarely for worse). Conflicting laws and norms between sovereign polities can be directly opposed, and there is rarely a bright line for "worth giving up everything for." In general, I don't think it's that fruitful to expect humans not to be humans.

So it's a lot better if they just plain don't have the power (or at least not total power) in the first place. It's just like in infosec in general: the most secure information is the information that you don't ever have, you cannot be hacked for it or leak it. That's the only surefire way to avoid not merely abuse but even pressure for abuse, and it's here that I think Apple has made a big blunder even vs the rest of the tech industry. Yes the cloud is a big deal nowadays, but Apple's business model is uniquely well suited to supporting full non-cloud distributed usage models in addition as a differentiator from where so many other offerings have gone. It's fine if Apple has their own iCloud and App Store as the core principle source, but if they simply gave individual users and organizations the full and ungated ability to replicate that (in features if not breadth) locally then Apple could simply wash their hands of some of this without hassle (it could even let them get pickier elsewhere since there'd be a separate release valve).

Apple used to be great at this too, back in OS X 10.5/10.6 at least Mac OS X Server had a lot of interesting potential. Easy full mirrors of Software Update, Network Homes and NetBoot/NetInstall were awesome, etc. It's not hard to imagine them having gone further that route, and it's too bad they've kind of half-assed gone the other way despite being weaker at network services than their competitors anyway.

Legislatively from an American perspective this would also be the right way to try to fight back against authoritarian regimes: require American tech companies by law to offer decentralized options for owners of devices, like side-loading. If that's available then it would make the job of authoritarians significantly more challenging.

Call me a cynic, but I bet China has it all. One way or another.

The Chinese government is right to require all of its citizens' data to be stored in domestic datacenters.

The danger of the Chinese government accessing your data is 1) Non-existent if you didn't declare you're Chinese 2) Not any different than the danger of the US government accessing your data

By the way, since so many of you feel so strongly about your data being stored abroad, don't you think the Chinese should feel the same? Why should they trust their data to a foreign government?

> The Chinese government is right to require all of its citizens' data to be stored in domestic datacenters.


> Why should they trust their data to a foreign government?

The word "government" is creating a false equivalency because it covers a very broad range of entities:

Democratic governments are chosen by their citizens, operate under rule of law, and are dedicated to protecting their citizens rights and welfare, and to democracy and liberty at home and abroad (obviously, they are very imperfect in such things).

The Chinese government is an authoritarian dictatorship, an armed group that seized power ("political power grows out of the barrel of a gun") and imposes itself on the people of China, and is dedicated to its own perpetuation.

>1) Non-existent if you didn't declare you're Chinese

This is ridiculous equivocation between a democratic society with a rule of law and an authoritarian regime. You're kidding yourself if you don't think the Chinese government has an interest in data owned by foreign nationals that they could gain access to.

Some people take the position that it's better for the US government to have access to Chinese people's data than for the Chinese government to have access their data because the US government is better (e.g. more due process).

I think one could make a decent case that in general, if you are a citizen or resident of country X, you are probably better off having your data stored in some country Y that you are neither a citizen nor a resident of, simply because (1) Y has less reason to be interested in your data, and (2) if they do look at your data, it is less likely they can use what they find against you.

A counterargument might be that since Y has no connection to you, Y has less interest in protecting your data from third parties than your own country, X, would.

MLATs can throw a wrench in that, though.

Does PRISM count as due process? I get how Americans could be biased, thinking "I live here and nothing has happened to me", but that's a very naive mode of thinking. Masking strategic actions under the "just helping you from yourself" umbrella isn't new, but isn't very convincing either. It's like Trump saying he'll nuke North Korea because it's an oppressive regime. Caring doesn't work that way.

Serious question: what due process does a foreign citizen not in the US have?

> The Chinese government is right to require all of its citizens' data to be stored in domestic datacenters.

"The only proper purpose of a government is to protect man’s rights, which means: to protect him from physical violence. A proper government is only a policeman, acting as an agent of man’s self-defense, and, as such, may resort to force only against those who start the use of force. The only proper functions of a government are: the police, to protect you from criminals; the army, to protect you from foreign invaders; and the courts, to protect your property and contracts from breach or fraud by others, to settle disputes by rational rules, according to objective law. But a government that initiates the employment of force against men who had forced no one, the employment of armed compulsion against disarmed victims, is a nightmare infernal machine designed to annihilate morality: such a government reverses its only moral purpose and switches from the role of protector to the role of man’s deadliest enemy, from the role of policeman to the role of a criminal vested with the right to the wielding of violence against victims deprived of the right of self-defense. Such a government substitutes for morality the following rule of social conduct: you may do whatever you please to your neighbor, provided your gang is bigger than his." - from "For the New Intellectual"


No sewers? I like sewers.

I am sorry you are being downvoted as I live here and fully agree with your "same as anywhere" notion. One great example of this "everywhere else" is the EFF domestic surveillance post today: https://news.ycombinator.com/item?id=16446716

I do think that China would look at foreign residents' or corporations' data, but they would really have to have a reason to care, and this is a kind of moot point since if you had any secret data you cared about, you wouldn't be trusting third-party cloud storage anyway.

Something that doesn't get enough attention.

iCloud Keychain stores the passwords, SSH keys, client-side certificates etc. for third-party sites. That means that sites like Facebook, Google etc. would be compromised on the biggest scale in history if Apple were to hand over encryption keys to the Chinese government. Not to mention the national security implications, e.g. my work VPN credentials are in iCloud Keychain.

There is no way Apple would be stupid enough to allow this situation to persist without informing users unless they maintained the keys and it was a moot point. Otherwise they are inviting themselves up for all sorts of legal issues. Not to mention people who travel to China for holiday/work purposes.

Apple doesn't even have the encryption keys for iCloud Keychain. They've taken a very hardcore secure approach to this that is explicitly designed for "adversarial clouds". This isn't true for all iCloud data, but the most sensitive stuff like keychain and health data use end-to-end encryption.[1]

What's impressive is they've implemented a backup solution for this that still retains end-to-end encryption. They use HSMs to encrypt a keychain "escrow" backup using your device passcode. The HSMs protect against brute forcing and Apple has no way to bypass -- they literally put the firmware administration keys in a blender.[2] It's pretty cool.

[1] https://www.apple.com/business/docs/iOS_Security_Guide.pdf

[2] https://www.youtube.com/watch?v=BLGFriOKz6U&feature=youtu.be...
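To make the escrow mechanism described in the comment above concrete, here is a small simulation added for this thread; it is not Apple's code and does not reproduce Cloud Key Vault's actual protocol or key formats. It assumes a PBKDF2-stretched passcode, a 10-attempt limit (the figure quoted from the talk), an XOR wrap plus HMAC tag in place of a real AEAD, and an in-memory `EscrowService` standing in for the HSM cluster. The point it shows is the one the comment makes: the service holding the escrow record never learns the passcode or the keychain secret, and a brute-force attacker with full access to that service still gets only a handful of guesses before the record is destroyed.

```python
"""Simulated passcode-protected keychain escrow with an HSM-style attempt counter.

Added example for the HN thread; not Apple's implementation. Parameters
(10 attempts, PBKDF2 iterations, XOR+HMAC wrapping) are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_ATTEMPTS = 10          # assumed limit, per the talk's "10 tries"
PBKDF2_ITERS = 100_000     # assumed; real systems tune this to hardware


@dataclass
class EscrowRecord:
    salt: bytes
    wrapped: bytes           # keychain secret XORed with a passcode-derived key
    tag: bytes               # HMAC over salt||wrapped, keyed by a passcode-derived MAC key
    attempts_left: int = MAX_ATTEMPTS


def _derive(passcode: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch a weak passcode into a 32-byte wrap key and a 32-byte MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ITERS, dklen=64)
    return km[:32], km[32:]


def wrap_secret(passcode: str, secret: bytes) -> EscrowRecord:
    """Client side: wrap a 32-byte keychain secret under the device passcode."""
    if len(secret) != 32:
        raise ValueError("secret must be exactly 32 bytes")
    salt = os.urandom(16)
    kw, kmac = _derive(passcode, salt)
    # Fresh salt per record means kw is used exactly once, so XOR is a one-time pad here.
    wrapped = bytes(a ^ b for a, b in zip(secret, kw))
    tag = hmac.new(kmac, salt + wrapped, "sha256").digest()
    return EscrowRecord(salt, wrapped, tag)


class EscrowService:
    """Stands in for the HSM: stores records, enforces the counter, sees no passcodes."""

    def __init__(self) -> None:
        self._records: Dict[str, EscrowRecord] = {}

    def store(self, record_id: str, record: EscrowRecord) -> None:
        self._records[record_id] = record

    def has_record(self, record_id: str) -> bool:
        return record_id in self._records

    def attempts_left(self, record_id: str) -> int:
        rec = self._records.get(record_id)
        return rec.attempts_left if rec else 0

    def recover(self, record_id: str, passcode: str) -> Optional[bytes]:
        """Return the secret on a correct passcode; burn an attempt otherwise."""
        rec = self._records.get(record_id)
        if rec is None:
            return None  # unknown, or already destroyed by too many failures
        kw, kmac = _derive(passcode, rec.salt)
        expected = hmac.new(kmac, rec.salt + rec.wrapped, "sha256").digest()
        if not hmac.compare_digest(expected, rec.tag):
            rec.attempts_left -= 1
            if rec.attempts_left == 0:
                del self._records[record_id]  # destroy: offline brute force is now impossible
            return None
        return bytes(a ^ b for a, b in zip(rec.wrapped, kw))


def demo() -> Dict[str, object]:
    """Owner recovers with the right PIN; an attacker with service access gets 10 guesses."""
    svc = EscrowService()
    secret = os.urandom(32)       # constructed keychain secret
    svc.store("device-A", wrap_secret("4321", secret))
    owner_ok = svc.recover("device-A", "4321") == secret

    # Attacker enumerates 4-digit PINs against the same service, in order.
    guesses = 0
    attacker_got = None
    for pin in range(10_000):
        if not svc.has_record("device-A"):
            break
        guesses += 1
        attacker_got = svc.recover("device-A", f"{pin:04d}")
        if attacker_got is not None:
            break
    return {
        "owner_recovered": owner_ok,
        "attacker_recovered": attacker_got is not None,
        "guesses_made": guesses,
        "record_survives": svc.has_record("device-A"),
    }
```

Running `demo()` shows the owner recovering the secret while the attacker's enumeration stops after ten wrong PINs with the record gone. What this simulation cannot show is the part that carries the real security argument: here the counter is a Python integer that whoever runs the service could reset, whereas in the scheme the comment describes the counter is enforced inside HSMs whose firmware-signing keys were destroyed, so neither Apple nor a government compelling Apple can ship firmware that ignores it. A production design would also use a proper AEAD for the wrap and rate-limit attempts in addition to capping them.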

> Not to mention people who travel to China for holiday/work purposes.

Like a lot of Apple employees themselves, considering so much of the manufacturing is there. I would love to be a fly on the wall of their infosec team.

Exactly. And I worked at Apple and it's not like we were given special phones with enhanced security. It's just a standard VPN to log on to internal sites.

And of course the problem with keychains like this is that surely amongst one of your previous accounts is the password you used for your VPN and/or work email.

Interesting. Google treated remote access from China or employees based in China differently even before Aurora:


Maybe in ten years or more someone (Farris?) will describe the details behind the scenes about the cat-and-mouse, the unexplained outages, etc.

Interesting read. The ending is grim and sad when you read it now. Lee's words from 7 years ago now ring hollow and false:

Kai-Fu Lee now says that if you look at China’s behavior over a long horizon—20 or 30 years—it’s clear that the trend is toward more openness. The incidents that led to Google’s retreat were “a perturbation” in this movement, mainly because Chinese leaders had reached their limits. “The next generation will come up in less than two years,” he says. “They’re younger, more progressive, many American-trained, and many have worked in businesses and run banks—they’re going to be more open.”

Considering China backslid in the past decade (opening up before 2008, then hitting reverse afterwards), we will have to wait and see. The current leadership came of age during the Cultural Revolution, which probably has a lot to do with the current trend to authoritarianism; many of them only got honorary degrees when the schools reopened in the late 70s. The next generation of leadership should be much, much different.

Has it actually backslid, or has enforcement just caught up with the technological capabilities of the people trying to avoid it?

Was China actually more free in the 90s, or the 00s, or was it just easier to get away with it?

China was more open in the 80s, less open in the early 90s, and then increasingly open until 2008. After 2008, it went downhill.

> and then increasingly open until 2008

Could you cite any examples? I'm asking about China, not Hong Kong. Every time I ask this question, I am consistently pointed to repression in Hong Kong.

I’m only referring to the mainland. The 1980s were obviously building up to 1989, where there was a huge regression after Tiananmen. Then it started opening up again, working its way to the Olympics to show the world that China was no longer closed socially and economically (we could even access Facebook and Gmail back then; note that CNN was blocked in 2002 but not in 2008 and not today). After the Olympics, everything was cut back: more censorship, Great Firewall blocking, crackdowns in minority areas, and so on, building continuously until today.

Yeah, I don't know what kind of leaders he was thinking of when he said the next generation would come up in two years. At least at the very top, it might take decades.

This seems to be a global trend. Trump in the US, populism and fascists in Europe and Jinping in China.

You don’t understand how iCloud Keychain works and are spreading FUD. GP already linked the white papers which explain why what you are saying is inaccurate.

Some data stored on iCloud (like iCloud Keychain) is commingled (not quite the right word, but the right word escapes me — mixed up with) with passcodes and hardware keys from the local device. https://support.apple.com/en-us/HT202303

